THE CLAIMS

A complete listing of all of originally filed Claims 1 - 33 is provided below. A status
identifier is provided for each claim in a parenthetical expression following each claim
number.

1. (Previously Presented) A distributed firewall (DFW) for use on an end system, 
comprising: 

an end system authentication component for providing user authentication 
for connection attempts from users attempting to access the end system via a network; 

an end system access control component for providing purpose authorization
for authenticated users based on rules in a connection policy associating users with
purposes; and

an end system enforcement component for enforcing the connection policy
rule for one of the authenticated users from whom traffic is received at the end system; and

wherein the end system authentication component utilizes an aggregate of
the users in the connection policy to authenticate at least one of the users. 

2. (Currently Amended) The DFW of claim 1, wherein the end system 
authentication component utilizes Internet key exchange (IKE) protocol to authenticate users 
in IKE main mode (MM) based on the aggregate of users in the connection policy. 

3. (Currently Amended) The DFW of claim 2, wherein the end system 
authentication component utilizes the rule in the connection policy associated with the 
authenticated user in IKE quick mode (QM) to complete the authentication. 

4. (Currently Amended) The DFW of claim 3, wherein the end system 
authentication component transmits a secure notify message to the authenticated user when 
the authenticated user sends traffic in QM that exceeds an authority governed by the rule in 
the connection policy associated with the authenticated user.

5. (Currently Amended) The DFW of claim 3, wherein the end system
enforcement component utilizes Internet protocol security (IPSec) protocol to maintain 
security of communications from the authenticated user when the communications are 
within the rule in the connection policy. 

6. (Currently Amended) The DFW of claim 5, wherein the end system 
enforcement component enables IPSec on a socket for communications from the 
authenticated user and binds the socket in exclusive mode so that the context of the binder 
of the socket is preserved. 

7. (Currently Amended) The DFW of claim 1, further comprising an end system 
inspection component for inspecting packets from an authenticated user. 

8. (Original) The DFW of claim 1, wherein the connection policy is defined 
in a pluggable policy component. 

9. (Original) The DFW of claim 8, wherein the pluggable policy component 
is downloaded from a centralized administrative policy. 

10. (Original) The DFW of claim 8, wherein the pluggable policy component 
is modifiable on the end system. 

11. (Currently Amended) The DFW of claim 10, further comprising an end system
access control component through which the connection policy may be defined. 

12. (Currently Amended) The DFW of claim 1, further comprising an end system 
access control component having a user interface (UI) through which the connection policy
is defined.

13-33. (Withdrawn)

REMARKS

Reconsideration and allowance of Claims 1-12 are respectfully requested. 

With regard to the present amendments, the current amendments to the claims are 
intended to recite that the claimed features are end system features. These amendments 
further emphasize that which is already recited in the preamble of independent Claim 1, 
from which Claims 2-12 depend, that is "A distributed firewall (DFW) for use on an end 
system." No new subject matter is intended to be added by these amendments. Favorable 
consideration is respectfully requested. 

The Rejection Under 35 U.S.C. § 102(b)

The rejection of Claims 1, 5, and 7-12 under 35 U.S.C. § 102(b) as being anticipated
by Nessett, et al. (U.S. Patent No. 5,968,176; hereafter "Nessett") has been repeated. The 
Applicant respectfully maintains its traversal to this rejection, and further maintains its 
request that this rejection be reconsidered and withdrawn. 

Once again, as emphasized by the present amendments to the claims, the Applicant
respectfully submits that Nessett fails to teach every element of Claim 1, from which the
remainder of Claims 5 and 7-12 depend, as required by MPEP §2131, which states, in part:

"A claim is anticipated only if each and every element as set 
forth in the claim is found, either expressly or inherently
described, in a single prior art reference." Verdegaal Bros. v. 
Union Oil Co. of California, 814 F.2d 628, 631, 2 USPQ2d 
1051, 1053 (Fed. Cir. 1987). 

In particular, the distributed firewall (DFW) of Claim 1 recites, in part, "an end system 
access control component for providing purpose authorization for authenticated users 
based on rules in a connection policy associating users with purposes." The Applicant 
submits that this feature is not described, expressly or inherently, by Nessett. More 
specifically, to support the assertion of anticipation with regard to the "end system access 
control component" of Claim 1, the rejection references Nessett, column 12, lines 10, 11, 
and 17-19; and Nessett, column 16, lines 6-10. However, the modem described in column
12 provides firewall functionality in network-based access servers, and the network
interface card (hereafter "NIC") described in columns 12 and 16 enforces security rules
supported by a network-based server. Thus, neither the network-based modem nor
network-supported NIC described by Nessett anticipates the presently claimed end system
access control component.

Further, Nessett fails to teach, or suggest, the claimed "end system enforcement
component." Rather, as described on column 16, lines 10-12, Nessett describes filtering 
rules that are installed to and applied by an access server. 

Therefore, it is respectfully submitted that the network-based firewall system 
described by Nessett fails to anticipate the "distributed firewall (DFW) for use on an end 
system" (emphasis added) recited in Claim 1. Based on their dependency upon Claim 1, it is
further submitted that Claims 5 and 7-12 are similarly distinguishable over Nessett.

For at least the reasons advanced above, it is respectfully requested that the
rejection under 35 U.S.C. § 102(b) be reconsidered and withdrawn.

The Rejection Under 35 U.S.C. § 103(a)

The rejection of Claims 2-4 under 35 U.S.C. § 103(a) as being unpatentable over
Nessett in view of Harkins, et al. (RFC 2409, "The Internet Key Exchange"; hereafter 
"Harkins") has also been repeated. The Applicant respectfully maintains its traversal to this 
rejection as well, and further maintains its request that this rejection be reconsidered and 
withdrawn. 

In particular, Claims 2-4 depend from Claim 1, either directly or indirectly; and Claim
1 is patentably distinguishable over Nessett for at least the reasons set forth above,
particularly in view of the current amendments. With further regard to independent Claim 1,
the Applicant respectfully submits that Harkins does not provide any teachings that are able
to compensate for the above-described deficiencies of Nessett. Specifically, Harkins does
not teach or suggest the end system features that are presently claimed, nor is such an 
assertion made in the rejection. 

Therefore, based on their dependency upon Claim 1, it is respectfully submitted that 
Claims 2-4 are distinguishable over Nessett and Harkins, both singularly and in combination 
together. Accordingly, for at least the reasons set forth above, it is respectfully requested 
that the outstanding rejection under 35 U.S.C. § 103(a) be reconsidered and withdrawn.

Conclusion

The remaining references of record have been studied. It is respectfully submitted 
that they do not compensate for the deficiencies of the references cited to reject Claims 1-12.

All objections and rejections having been addressed, it is respectfully submitted that 
the present application is now in condition for allowance. Early and forthright issuance of a 
Notice to that effect is earnestly solicited. 

Respectfully submitted, 
MICROSOFT CORPORATION



Date: December 07, 2005 By:

David S. Lee
Reg. No. 38,222

Direct Phone No.: 425-703-8092